What they can do with the PHP can be far more malicious than anything that can be done with JavaScript.

I mostly agree with you Stephen, but with the likes of JavaScript there is the danger of key-logging, where people could actively snatch people's details if they didn't know what they're doing, but I guess that's no different to a phishing scam website which pretends to be something it isn't.

Scallio: yeah. I may be misunderstanding what it all does, but it seems any site that has the extra headers and the JSON file means my browser (if I had a browser that did this) would log me in whenever I visited that domain.

Is that a good idea?

No, it's an extremely bad idea. But if you don't supply the manager with credentials it won't be able to log you in, now would it? And I guess it's possible to disable this "functionality".

It's so much easier to just not upgrade. Almost a year ago, Mozilla asked "why don't people update?" Most of the answers were "we don't like having to spend time turning all the features off so that we have the same functionality we had in the old one." Which is actually a very Bad Thing, because old browsers are insecure browsers.

Wonder if MS ever asked that question ... And what the response was ... (besides "my intranet/custom app won't run on anything else")

Hm, there's quite a few "features" of my browser I'd like to disable, but like 99% of browser users, I'm allergic to crawling through the about:config areas.

I've actually been holding off an upgrade to 3.6 for a list of several things... one of which being the removal of the Properties item in the context menu. Guess what you have to do to regain the same functionality that all other browsers provide? Yes, you must download a plugin : ) And the tabs open in the wrong order. Yikes! I'll see how long I can stay with 3.5.x, but I was also thinking of upgrading to Lucid Lynx at some point... which, after installing all the updates, would likely include FF 3.6+ : (

Stomme poes, when you mention tabs opening in the wrong order, are you referring to a new tab opening right next to the tab that opened it?

If so, that is the "browser.tabs.insertRelatedAfterCurrent" value which you could set for false.

Indeed, and yes they had PHP Doing Stuff as well. I couldn't tell what they were trying to do with the JS, but overall it wasn't so well done.

In any case, no, I don't think any of us believes NoScript or anything similar can protect against anything coming at us server-side. What I like about NoScript is it blocks objects until I say otherwise, it detects clickjacking, it blocks scripts per domain and I can allow scripts per domain. I believe this functionality should be built into all browsers instead of just JS on/off.

BTW Stephen, what do you think about FF4 having "session management" as mentioned in the article and comments of Pullo's link? Might be the brick that makes me stop using FF for all but site testing.

Anyone who decided to implement that "Tabnapping" phishing attempt would also probably include a meta redirect as a fallback so as to catch out a lot of those who think disabling JavaScript will keep them safe.

You can turn meta redirects off. I've seen plugins for this, but I thought there was also a setting alone you could use. The plugin was to stop TinyURLs or let you see the real domain before clicking on a TinyURL.

Just as a further point - the script can't work if a person doesn't visit the page it is on in the first place. So you'd need some form of phishing attack to get them to that page in the first place. You'd need to find a way to get the JavaScript to run on other people's sites (without their knowledge) in order to be able to actually achieve anything by doing it and JavaScript doesn't work that way.

True. This happened to one of our sites, so Google blocked it with a warning. Someone at the hosting company had let some summer student get a password, and they or someone they gave it to got in, added this little PHP script, which itself added JavaScript to our pages, which tried to do any of several malicious things (I don't think they were very well written though). Some Filipino l33t h4x0rz with a Japanese address for some reason.

What this tells me is, I'd better either keep JS off or use NoScript (I do both between all my Linux browsers) because even the sites I trust, I can't trust.

Someone at the hosting company had let some summer student get a password, and they or someone they gave it to got in, added this little PHP script, which itself added JavaScript to our pages, which tried to do any of several malicious things (I don't think they were very well written though).

What they can do with the PHP can be far more malicious than anything that can be done with JavaScript. That the PHP was used to add JavaScript rather than to do the damage itself meant that it was relatively harmless. PHP has access to do all sorts of things that JavaScript can't do.

The one situation where this sort of phishing attempt really would be effective would be if they were to insert a server side redirect to the fake site into the real site. Better keep clear of PHP, .NET etc just in case someone does just that.

That sounds interesting. What steps has Ruby been taking client-side? Do you have a link or something where I could read up on that?

Not off the top of my head, but I can probably find it again.

The Java stuff was the intro by Sun for a downloadable (so a sort of plugin) JVM using Swing. The Ruby stuff, that might have been "Red" (which is JS written as Ruby) or any of the Iron-* stuff (so Python too). Right now, they're using Silverlight as a crutch. Question is, how long will it stay like that? So I found this: http://www.rubyinside.com/ironruby-silverlight-ruby-in-browser-3192.html ... however it's a newer link than whatever I first read of the idea of Ruby moving into the client-side. Wherever that was, there were comments in that article mentioning Perl and Python doing the same.

Hmm, don't know what to reply to that. I should've expected that kind of reply though.

The difference between JavaScript and most other languages is that with other languages you don't need any interaction from the owner of the computer. Once you allow the bad code to run it does what it wants without any further intervention required. The worst that can be done with JavaScript is no worse than can be done with just HTML and still requires further action by the browser owner.

It would be far easier and work far better cross browser if the JavaScript used a redirect to a separate page rather than trying to rebuild the phishing page inside the same page anyway as that would resolve the favicon problems and get it to work even on older browsers.

Except I had to turn on Javascript to see the freakin comments, and to see the comments meant if I didn't keep touching the scrollbar, the stupid Gmail thing would appear. Arg. Annoying.

Still, this is scary to me:

The Fix

This kind of attack once again shows how important our work is on the Firefox Account Manager to keep our users safe. User names and passwords are not a secure method of doing authentication; it’s time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe.

No way. I specifically do not allow my browser to store my passwords. I try not to let it store my history. I don't let it (or Google for that matter) suggest URLs as I type into my address bar. This is because I believe a browser should be a stupid barrier between me and a site. So this idea that FF4 will have a session manager is going too far for me. A browser that knows your underwear size is a liability when it gets compromised, and so long as it's being asked to run all sorts of scripts (Java is coming back, and Ruby has been taking steps in client-side), it's not secure.

Seriously, I want the NoScript guys to include other browsers, pleeeease. And WebVisum. And a few other things.

Which relies on your not paying attention to what is in your address bar. GMail is not located at http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ which was what my address bar still read when I finally managed to force the script to activate (note I said force as I swapped back and forth a number of times before I finally managed to satisfy its trigger condition). Also the favicon remained unchanged.

You could achieve almost the same thing without JavaScript using a meta redirect to a separate page.
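The behaviour described above (same address bar, but title, favicon or login form quietly swapped while the tab was out of focus, with a meta redirect as the no-JavaScript fallback) can be checked for from the defender's side. The following is an added example, not code from anyone in this thread: it works on a plain object that models the page cues a user relies on (`url`, `title`, `favicon`, password-form actions, meta refresh targets), which is an assumption of this example rather than a browser API, and flags a page whose identity cues changed between the tab being hidden and shown again.

```javascript
// Added example: a heuristic for the tab-swap rewrite discussed above.
// `doc` is a constructed model of the visible page cues, not a real DOM.
function snapshot(doc) {
  return {
    url: doc.url,
    title: doc.title,
    favicon: doc.favicon || null,
    // Where password forms submit is what a phishing rewrite has to change.
    formTargets: (doc.passwordFormActions || []).slice().sort(),
    metaRefresh: (doc.metaRefreshTargets || []).slice(),
  };
}

// Resolve a possibly relative URL against the page and return its origin.
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// Compare the snapshot taken when the tab went hidden with the current one.
// Returns human-readable findings; an empty list means nothing suspicious.
function compareSnapshots(before, after) {
  const findings = [];
  if (before.url === after.url) {
    // Same address bar but different identity cues is the tabnapping tell.
    if (before.title !== after.title) findings.push(`title changed to "${after.title}"`);
    if (before.favicon !== after.favicon) findings.push('favicon changed');
    if (before.formTargets.join('|') !== after.formTargets.join('|'))
      findings.push('password form target changed');
  }
  // A meta refresh that leaves the page's origin is the JavaScript-free fallback.
  const pageOrigin = originOf(after.url);
  for (const target of after.metaRefresh) {
    if (originOf(target, after.url) !== pageOrigin) findings.push(`meta refresh to ${target}`);
  }
  return findings;
}

// Constructed scenario: a blog post that looks like a webmail login after a tab swap.
const HIDDEN_STATE = { url: 'http://blog.example.test/post/', title: 'A blog post',
  favicon: 'http://blog.example.test/favicon.ico', passwordFormActions: [] };
const VISIBLE_STATE = { url: 'http://blog.example.test/post/', title: 'Webmail - Sign in',
  favicon: 'http://blog.example.test/mail-icon.png',
  passwordFormActions: ['http://collector.example.test/login'],
  metaRefreshTargets: ['http://collector.example.test/login'] };

function demo() {
  return compareSnapshots(snapshot(HIDDEN_STATE), snapshot(VISIBLE_STATE));
}
```

In a browser extension the same comparison would be taken on `visibilitychange`, snapshotting when `document.hidden` becomes true and comparing when it becomes false.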